{ "threat_severity" : "Low", "public_date" : "2018-03-24T00:00:00Z", "bugzilla" : { "description" : "httpd: bypass with a trailing newline in the file name", "id" : "1560614", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1560614" }, "cvss3" : { "cvss3_base_score" : "3.7", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-787", "details" : [ "In Apache httpd 2.4.0 to 2.4.29, the expression specified in could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename." ], "statement" : "The \"FilesMatch\" directive is not enabled in the default httpd configuration as shipped with Red Hat Enterprise Linux, and needs to be explicitly enabled. Therefore this flaw has no impact on the default versions of the httpd package as shipped with Red Hat Enterprise Linux.\nRed Hat Satellite 6 uses Red Hat Enterprise Linux 7's httpd package, and enables the \"FilesMatch\" directive. However, this is not believed to have an impact on security, as, in the context of a Satellite, no one is expected to have the ability to modify file names in the concerned directories. This is not considered as a vector for attack.", "affected_release" : [ { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-02-18T00:00:00Z", "advisory" : "RHSA-2019:0367", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-0:1-6.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-02-18T00:00:00Z", "advisory" : "RHSA-2019:0367", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.1.0-3.redhat_2.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-02-18T00:00:00Z", "advisory" : "RHSA-2019:0367", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-apr-0:1.6.3-31.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-02-18T00:00:00Z", "advisory" : "RHSA-2019:0367", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-apr-util-0:1.6.1-24.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-02-18T00:00:00Z", "advisory" : "RHSA-2019:0367", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-httpd-0:2.4.29-35.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-02-18T00:00:00Z", "advisory" : "RHSA-2019:0367", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.8-3.Final_redhat_2.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-02-18T00:00:00Z", "advisory" : "RHSA-2019:0367", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-mod_jk-0:1.2.46-1.redhat_1.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-02-18T00:00:00Z", "advisory" : "RHSA-2019:0367", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-nghttp2-0:1.29.0-9.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-02-18T00:00:00Z", "advisory" : "RHSA-2019:0367", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-openssl-1:1.0.2n-14.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-02-18T00:00:00Z", "advisory" : "RHSA-2019:0367", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-0:1-6.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-02-18T00:00:00Z", "advisory" : "RHSA-2019:0367", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.1.0-3.redhat_2.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-02-18T00:00:00Z", "advisory" : "RHSA-2019:0367", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-apr-0:1.6.3-31.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-02-18T00:00:00Z", "advisory" : "RHSA-2019:0367", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-apr-util-0:1.6.1-24.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-02-18T00:00:00Z", "advisory" : "RHSA-2019:0367", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-httpd-0:2.4.29-35.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-02-18T00:00:00Z", "advisory" : "RHSA-2019:0367", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.8-3.Final_redhat_2.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-02-18T00:00:00Z", "advisory" : "RHSA-2019:0367", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_jk-0:1.2.46-1.redhat_1.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-02-18T00:00:00Z", "advisory" : "RHSA-2019:0367", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-nghttp2-0:1.29.0-9.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-02-18T00:00:00Z", "advisory" : "RHSA-2019:0367", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-openssl-1:1.0.2n-14.jbcs.el7" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2020-09-29T00:00:00Z", "advisory" : "RHSA-2020:3958", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "httpd-0:2.4.6-95.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2018-11-13T00:00:00Z", "advisory" : "RHSA-2018:3558", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6", "package" : "httpd24-curl-0:7.61.1-1.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2018-11-13T00:00:00Z", "advisory" : "RHSA-2018:3558", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6", "package" : "httpd24-httpd-0:2.4.34-7.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2018-11-13T00:00:00Z", "advisory" : "RHSA-2018:3558", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6", "package" : "httpd24-nghttp2-0:1.7.1-7.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2018-11-13T00:00:00Z", "advisory" : "RHSA-2018:3558", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-curl-0:7.61.1-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2018-11-13T00:00:00Z", "advisory" : "RHSA-2018:3558", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-httpd-0:2.4.34-7.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2018-11-13T00:00:00Z", "advisory" : "RHSA-2018:3558", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-nghttp2-0:1.7.1-7.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date" : "2018-11-13T00:00:00Z", "advisory" : "RHSA-2018:3558", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-curl-0:7.61.1-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date" : "2018-11-13T00:00:00Z", "advisory" : "RHSA-2018:3558", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-httpd-0:2.4.34-7.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date" : "2018-11-13T00:00:00Z", "advisory" : "RHSA-2018:3558", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-nghttp2-0:1.7.1-7.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2018-11-13T00:00:00Z", "advisory" : "RHSA-2018:3558", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-curl-0:7.61.1-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2018-11-13T00:00:00Z", "advisory" : "RHSA-2018:3558", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-httpd-0:2.4.34-7.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2018-11-13T00:00:00Z", "advisory" : "RHSA-2018:3558", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-nghttp2-0:1.7.1-7.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2018-11-13T00:00:00Z", "advisory" : "RHSA-2018:3558", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-curl-0:7.61.1-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2018-11-13T00:00:00Z", "advisory" : "RHSA-2018:3558", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-httpd-0:2.4.34-7.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2018-11-13T00:00:00Z", "advisory" : "RHSA-2018:3558", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-nghttp2-0:1.7.1-7.el7" }, { "product_name" : "Text-Only JBCS", "release_date" : "2019-02-18T00:00:00Z", "advisory" : "RHSA-2019:0366", "cpe" : "cpe:/a:redhat:jboss_core_services:1", "package" : "httpd" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Not affected", "package_name" : "httpd", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Will not fix", "package_name" : "httpd", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "httpd", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2", "fix_state" : "Will not fix", "package_name" : "httpd", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2" }, { "product_name" : "Red Hat JBoss Web Server 3", "fix_state" : "Not affected", "package_name" : "httpd", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3" }, { "product_name" : "Red Hat Mobile Application Platform 4", "fix_state" : "Not affected", "package_name" : "rhmap-httpd-docker", "cpe" : "cpe:/a:redhat:mobile_application_platform:4" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-15715\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-15715\nhttps://httpd.apache.org/security/vulnerabilities_24.html" ], "name" : "CVE-2017-15715", "csaw" : false }